---
name: post-tabletop-debrief
description: Turns raw tabletop exercise notes into a structured debrief with timeline reconstruction, gap findings, action items with owners, and a board-ready summary.
version: 1.0.0
author: VantagePoint Networks
audience: IT Managers, BCP / DR Coordinators, CISOs, Crisis Management Leads, MSP Account Managers
output_format: Formatted Markdown debrief with executive summary, timeline, observations, gap findings, prioritised action items, and an updated risk register entry.
license: MIT
---

# Post-Tabletop Debrief

Tabletop exercises produce piles of sticky notes, transcript snippets, and "we should fix that" comments. This skill turns them into a defensible debrief that finance, regulators, and exec sponsors take seriously.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it in `~/.claude/commands/` (macOS / Linux) or `%USERPROFILE%\.claude\commands\` (Windows).
3. Run `/post-tabletop-debrief` in Claude Code. Provide the scenario, what happened, and the raw notes from observers + participants. Answer probing questions. Receive the debrief.

## When to use this

- You've just finished a tabletop and the energy is high — capture before it fades.
- Annual BCP / DR exercise needs a credible write-up for the BCP committee or auditor.
- A regulator (FCA / NIS2 / DORA / sector-specific) requires evidence of crisis preparedness exercises.
- A near-miss or real incident triggered an unscheduled tabletop and you want the lessons documented.
- You're standardising tabletop practice across teams and need every exercise to produce the same shape of artefact.

## What you'll get

- **Executive summary** — 5 lines, board-readable, includes overall verdict and headline gap.
- **Exercise metadata** — scenario, scope, attendees, observers, duration.
- **Reconstructed timeline** — what was injected, who responded, what decisions were made, when.
- **Observations by domain** — Comms, Technical Response, Decision-making, Coordination, Documentation.
- **Gap findings** — categorised: People, Process, Technology, Information.
- **Action register** — every recommendation with owner, due date, success criterion.
- **Updated risk register entry** — what we learned about the underlying risk.
- **Comparison to previous exercise** — if applicable.
- **Recommended next exercise** — scenario, scope, timing.

## Clarifying questions I will ask you

1. **Date and duration of the exercise?**
2. **Scenario in one paragraph?** (E.g. "Major ransomware incident affecting file servers Sunday 02:00, discovered Monday 07:30")
3. **Type of exercise?** (Tabletop discussion / walkthrough / simulation / parallel test / functional)
4. **Who participated?** (Roles — IC, Comms Lead, Technical Lead, Exec Sponsor, etc.)
5. **Who observed?** (Roles — observers don't participate, they record)
6. **What injects were delivered, in order, with timestamps?**
7. **What decisions were made, by whom?**
8. **What did NOT happen that should have?** (Often the most useful question)
9. **What surprised the participants?** (Reveals untested assumptions)
10. **Was there a deviation from the runbook? If yes, why?**
11. **What stop conditions were considered, and were any triggered?**
12. **Any prior tabletop in the last 12 months — outcome?**
13. **Required output audience?** (Internal IT / BCP committee / board / regulator / customer)

## Output template

```markdown
# Tabletop Debrief — <scenario short title> — YYYY-MM-DD

**Exercise ID:** TT-YYYY-NNN
**Conducted on:** YYYY-MM-DD
**Duration:** N hours
**Test type:** Tabletop / Walkthrough / Simulation / Parallel / Functional
**Test Director:** <name>
**Exec Sponsor:** <name>
**Classification:** Internal / Internal-Restricted / Customer-Shareable / Regulator-shareable

## 1. Executive Summary
> <5 lines, board-readable. Include: scenario, verdict (passed / passed with conditions / failed), headline gap, top recommendation, comparison to last exercise.>

## 2. Scenario
<2-3 paragraphs describing what was simulated. Include the trigger event, what participants were told to assume, and what they were not told (the unknown unknowns).>

## 3. Scope
- **In scope:** <systems, people, decisions>
- **Out of scope:** <explicit exclusions>
- **Assumptions made:** <list>

## 4. Participants & Observers

### Participants (active in the exercise)
| Role | Name | Notes |
|---|---|---|
| Incident Commander | <name> | <e.g. Acted as IC for first time> |
| Comms Lead | <name> |  |
| Technical Lead | <name> |  |
| Scribe | <name> |  |
| Exec Sponsor | <name> |  |

### Observers (recording behaviour, not acting)
| Domain | Observer | Notes |
|---|---|---|
| Comms | <name> | <focus area> |
| Technical | <name> |  |
| Leadership / governance | <name> |  |

## 5. Reconstructed Timeline

| T+(min) | Inject / event | Owner | Decision / action | Notes |
|---|---|---|---|---|
| 0 | "VPN concentrator down at 02:00 Sunday" | Test Director | Participants discover scenario | — |
| +5 | First responder paged | On-call | Acks within SLA | — |
| +12 | "Backup VPN also affected" | Test Director (inject) | IC makes call to declare incident | Decision logged |
| +20 | "Customers tweeting about login issues" | Test Director (inject) | Comms drafts statement, awaits exec sign-off | Sign-off took 18 min — flagged |
| +35 | Comms statement published | Comms Lead | Posted to status page | — |
| +45 | "Forensic logs show this is ransomware not just outage" | Test Director (inject) | IC escalates to ransomware playbook | Hand-off discussed |
| +60 | Exec sponsor briefed | IC | Sponsor approves customer email + insurance notification | Agreed |
| +90 | Exercise stopped | Test Director | Hot wash | — |

## 6. Observations by Domain

### Comms
**Strengths:**
- <e.g. Status page update within 35 min — beats target>
- <bullet>

**Weaknesses:**
- <e.g. 18-min wait for exec sign-off blocked publication — sign-off path unclear>
- <bullet>

**Quotes (anonymised):**
- "We had three different drafts before publishing — no template ready"

### Technical Response
**Strengths:**
- <bullet>

**Weaknesses:**
- <e.g. Ransomware playbook unfamiliar to stand-in IC; took 12 min to find>
- <bullet>

### Decision-making
**Strengths:**
- <bullet>

**Weaknesses:**
- <e.g. No clarity on who could approve an emergency spend over £50k out-of-hours>
- <bullet>

### Coordination
**Strengths / Weaknesses:** <bullets>

### Documentation
**Strengths / Weaknesses:** <bullets>

## 7. Gap Findings (by category)

### People
| # | Gap | Severity |
|---|---|---|
| P1 | Stand-in IC unfamiliar with ransomware playbook | High |
| P2 | No backup Comms Lead identified | Medium |

### Process
| # | Gap | Severity |
|---|---|---|
| Pr1 | Exec sign-off path for customer comms unclear out-of-hours | High |
| Pr2 | Emergency spend authority not documented | High |
| Pr3 | No comms templates pre-staged for ransomware | Medium |

### Technology
| # | Gap | Severity |
|---|---|---|
| T1 | Status page provider login held by 2 people, both potentially affected | Medium |
| T2 | War-room Teams channel must be created live; should be standing | Low |

### Information
| # | Gap | Severity |
|---|---|---|
| I1 | Insurance notification timeline unknown to IC | Medium |
| I2 | Customer contact list location not known to Comms Lead | Medium |

## 8. Action Register
| # | Action | Category | Owner | Due | Success criterion |
|---|---|---|---|---|---|
| A1 | Document out-of-hours exec sign-off path with 2 backups | Process | CISO | YYYY-MM-DD | Path published, tested in next exercise |
| A2 | Pre-stage ransomware comms templates (3 audiences) | Process | Comms Lead | YYYY-MM-DD | Templates in shared location, indexed |
| A3 | Cross-train second person on ransomware playbook | People | IT Manager | YYYY-MM-DD | Second person passes walk-through |
| A4 | Create standing war-room Teams channel | Technology | Collab Admin | YYYY-MM-DD | Channel exists, IC has owner role |
| A5 | Status page admin: add 3rd recovery account on hardware token | Technology | IT Ops | YYYY-MM-DD | 3 admins confirmed |
| A6 | Document emergency spend authority + amount thresholds | Process | CFO + CISO | YYYY-MM-DD | Policy approved, comms sent |
| A7 | Insurance notification SOP (who, when, what) | Information | Risk Lead | YYYY-MM-DD | SOP approved |

## 9. Risk Register Update
This exercise informs the risk register entry for **R-NNNN: Ransomware affecting critical IT infrastructure**:

- Inherent risk: unchanged (L 3 x I 5 = 15)
- Residual risk: changed — we discovered our recovery process is less mature than assumed.
  - Previous residual: 8 (L 2 x I 4)
  - Revised residual: 12 (L 3 x I 4) — until A1, A2, A3 complete

Treatment plan items to add: A1, A2, A3, A4 from section 8.

## 10. Comparison to Previous Exercise

If applicable.

| Theme | Prior exercise | This exercise | Direction |
|---|---|---|---|
| Time to first internal comms | 25 min | 18 min | ▲ |
| Time to first customer comms | 60 min | 35 min | ▲ |
| Stand-in IC capability | Untested | Surfaced as gap | New finding |
| Action items closed from prior debrief | 6 of 8 | — | 75% closure |

## 11. Recommended Next Exercise
- **Scenario:** Cyber + supply-chain combination (e.g. ransomware in primary SaaS provider)
- **Type:** Functional with parallel system bring-up
- **Timing:** Q3
- **Pre-requisites:** Action items A1-A4 completed
- **Aim:** Test exec decision-making under genuine ambiguity (regulator hasn't said anything; vendor RCA delayed)

## 12. Distribution
- BCP Committee
- Exec Sponsor
- Participants and observers (as a thank-you and learning artefact)
- (If regulator-relevant) Compliance team

## 13. Confidentiality Notes
- Tabletop content is internal-restricted by default.
- Anonymise quotes if shared widely.
- If shared with insurer / regulator: review for any commercially sensitive detail.
```

## Example invocation

**User:** "/post-tabletop-debrief — yesterday we ran a 90-min tabletop on a ransomware scenario. 8 participants, 3 observers, IC was a stand-in because our usual one was on leave. We managed comms in 35 min but it took 18 min for exec sign-off because nobody knew who was authorised. Need a proper write-up by Friday for the BCP committee."

**What the skill will do:**
1. Reconstruct the timeline from the bullet points provided.
2. Probe for the unspoken — what surprised people, what didn't happen, what assumptions were tested.
3. Surface the 18-min sign-off delay as a Process High-severity gap (not just an observation).
4. Convert observer notes into structured action items with owners.
5. Update the relevant risk register entry — explicitly noting the residual rating revision.
6. Produce a board-friendly summary that's honest without being alarming.

## Notes for the requester

- **Capture immediately, write up within 5 days.** Memory degrades fast. Hot wash should happen at the end of the exercise; written debrief within 5 working days.
- **Observer notes are gold — protect them.** Raw bullet points from observers are more honest than polished prose. Quote them.
- **"What didn't happen" is half the value.** Tabletops surface the unspoken assumptions. The actions that should have been taken but weren't are the most actionable findings.
- **Don't sanitise weaknesses.** If the IC fumbled, write that the IC role lacked depth — not that "the IC role was challenged". Auditors and regulators read between euphemisms.
- **Action items must have a measurable success criterion.** "Document the sign-off path" is weak. "Path documented, tested in next exercise within 6 months" is testable.
- **Compare exercise-to-exercise.** A debrief without a comparison line is half a debrief. Closure rate of prior actions is itself a programme metric.
- **"Good" looks like:** the BCP committee approves the action register without follow-up. The next exercise can demonstrably point to actions closed since this one. The exec sponsor reads section 1 in 90 seconds and gets it.
